diff options
Diffstat (limited to 'runtime/staprun')
-rw-r--r-- | runtime/staprun/common.c | 1 | ||||
-rw-r--r-- | runtime/staprun/modverify.c | 43 | ||||
-rw-r--r-- | runtime/staprun/modverify.h | 7 | ||||
-rw-r--r-- | runtime/staprun/staprun.c | 18 | ||||
-rw-r--r-- | runtime/staprun/staprun.h | 1 | ||||
-rw-r--r-- | runtime/staprun/staprun_funcs.c | 27 |
6 files changed, 65 insertions, 32 deletions
diff --git a/runtime/staprun/common.c b/runtime/staprun/common.c index 26b166c2..6c199616 100644 --- a/runtime/staprun/common.c +++ b/runtime/staprun/common.c @@ -30,6 +30,7 @@ int need_uprobes; int daemon_mode; off_t fsize_max; int fnum_max; +int unprivileged_user = 0; /* module variables */ char *modname = NULL; diff --git a/runtime/staprun/modverify.c b/runtime/staprun/modverify.c index 688734c0..d9ccc094 100644 --- a/runtime/staprun/modverify.c +++ b/runtime/staprun/modverify.c @@ -29,6 +29,7 @@ #include <certt.h> #include "nsscommon.h" +#include "modverify.h" static int verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pubKey) @@ -48,7 +49,7 @@ verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pu { fprintf (stderr, "Unable to obtain information on the signature file %s.\n", signatureName); nssError (); - return -1; + return MODULE_UNTRUSTED; /* Not signed */ } /* Open the signature file. */ @@ -57,7 +58,7 @@ verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pu { fprintf (stderr, "Could not open the signature file %s\n.", signatureName); nssError (); - return -1; + return MODULE_CHECK_ERROR; } /* Allocate space to read the signature file. */ @@ -66,7 +67,7 @@ verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pu { fprintf (stderr, "Unable to allocate memory for the signature in %s.\n", signatureName); nssError (); - return -1; + return MODULE_CHECK_ERROR; } /* Read the signature. */ @@ -74,18 +75,18 @@ verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pu if (numBytes == 0) /* EOF */ { fprintf (stderr, "EOF reading signature file %s.\n", signatureName); - return -1; + return MODULE_CHECK_ERROR; } if (numBytes < 0) { fprintf (stderr, "Error reading signature file %s.\n", signatureName); nssError (); - return -1; + return MODULE_CHECK_ERROR; } if (numBytes != info.size) { fprintf (stderr, "Incomplete data while reading signature file %s.\n", signatureName); - return -1; + return MODULE_CHECK_ERROR; } signature.len = info.size; @@ -97,10 +98,10 @@ verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pu SEC_OID_UNKNOWN, NULL, NULL); if (! vfy) { - fprintf (stderr, "Unable to create verification context while verifying %s using the signature in %s.\n", - inputName, signatureName); - nssError (); - return -1; + /* The key does not match the signature. This is not an error. It just means + we are currently trying the wrong certificate/key. i.e. the module + remains untrusted for now. */ + return MODULE_UNTRUSTED; } /* Begin the verification process. */ @@ -110,7 +111,7 @@ verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pu fprintf (stderr, "Unable to initialize verification context while verifying %s using the signature in %s.\n", inputName, signatureName); nssError (); - return -1; + return MODULE_CHECK_ERROR; } /* Now read the data and add it to the signature. */ @@ -119,7 +120,7 @@ verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pu { fprintf (stderr, "Could not open module file %s.\n", inputName); nssError (); - return -1; + return MODULE_CHECK_ERROR; } for (;;) @@ -132,7 +133,7 @@ verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pu { fprintf (stderr, "Error reading module file %s.\n", inputName); nssError (); - return -1; + return MODULE_CHECK_ERROR; } /* Add the data to the signature. */ @@ -141,7 +142,7 @@ verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pu { fprintf (stderr, "Error while verifying module file %s.\n", inputName); nssError (); - return -1; + return MODULE_CHECK_ERROR; } } @@ -152,10 +153,10 @@ verify_it (const char *inputName, const char *signatureName, SECKEYPublicKey *pu if (secStatus != SECSuccess) { fprintf (stderr, "Unable to verify signed module %s. It may have been altered since it was created.\n", inputName); nssError (); - return 0; + return MODULE_ALTERED; } - return 1; + return MODULE_OK; } int verify_module (const char *module_name, const char *signature_name) @@ -178,7 +179,7 @@ int verify_module (const char *module_name, const char *signature_name) fprintf (stderr, "Unable to initialize nss library using the database in %s.\n", dbdir); nssError (); - return -1; + return MODULE_CHECK_ERROR; } certList = PK11_ListCerts (PK11CertListAll, NULL); @@ -187,7 +188,7 @@ int verify_module (const char *module_name, const char *signature_name) fprintf (stderr, "Unable to find certificates in the certificate database in %s.\n", dbdir); nssError (); - return -1; + return MODULE_UNTRUSTED; } /* We need to look at each certificate in the database. */ @@ -203,13 +204,13 @@ int verify_module (const char *module_name, const char *signature_name) fprintf (stderr, "Unable to extract public key from the certificate with nickname %s from the certificate database in %s.\n", cert->nickname, dbdir); nssError (); - return -1; + return MODULE_CHECK_ERROR; } /* Verify the file. */ rc = verify_it (module_name, signature_name, pubKey); - if (rc == 1) - break; /* Verified! */ + if (rc == MODULE_OK || rc == MODULE_ALTERED || rc == MODULE_CHECK_ERROR) + break; /* resolved or error */ } /* Shutdown NSS and exit NSPR gracefully. */ diff --git a/runtime/staprun/modverify.h b/runtime/staprun/modverify.h index ad212e2b..9abf62d4 100644 --- a/runtime/staprun/modverify.h +++ b/runtime/staprun/modverify.h @@ -1 +1,8 @@ int verify_module (const char *module_name, const char *signature_name); + +/* return codes for verify_module. */ +#define MODULE_OK 1 +#define MODULE_UNTRUSTED 0 +#define MODULE_CHECK_ERROR -1 +#define MODULE_ALTERED -2 + diff --git a/runtime/staprun/staprun.c b/runtime/staprun/staprun.c index 42b72ff1..917990dc 100644 --- a/runtime/staprun/staprun.c +++ b/runtime/staprun/staprun.c @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2008 Red Hat, Inc. + * Copyright (C) 2005-2009 Red Hat, Inc. * */ @@ -139,11 +139,21 @@ static int enable_uprobes(void) static int insert_stap_module(void) { - char bufsize_option[128]; + char special_options[128]; + char *bufptr = special_options; - if (snprintf_chk(bufsize_option, 128, "_stp_bufsize=%d", buffer_size)) + /* Add the _stp_bufsize option. */ + if (snprintf_chk(bufptr, sizeof (special_options), "_stp_bufsize=%d", buffer_size)) return -1; - return insert_module(modpath, bufsize_option, modoptions); + + /* Add the _stp_unprivileged_user option. */ + bufptr += strlen (bufptr); + if (snprintf_chk(bufptr, + sizeof (special_options) - (bufptr - special_options), + " _stp_unprivileged_user=%d", unprivileged_user)) + return -1; + + return insert_module(modpath, special_options, modoptions); } static int remove_module(const char *name, int verb); diff --git a/runtime/staprun/staprun.h b/runtime/staprun/staprun.h index acc533b2..5159f1bd 100644 --- a/runtime/staprun/staprun.h +++ b/runtime/staprun/staprun.h @@ -166,6 +166,7 @@ extern int need_uprobes; extern int daemon_mode; extern off_t fsize_max; extern int fnum_max; +extern int unprivileged_user; /* getopt variables */ extern char *optarg; diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c index 020bb312..6e72fd72 100644 --- a/runtime/staprun/staprun_funcs.c +++ b/runtime/staprun/staprun_funcs.c @@ -20,6 +20,7 @@ #include <sys/utsname.h> #include <grp.h> #include <pwd.h> +#include <assert.h> extern long init_module(void *, unsigned long, const char *); @@ -225,18 +226,18 @@ check_signature(void) /* Use realpath() to canonicalize the module path. */ if (realpath(modpath, module_realpath) == NULL) { perr("Unable to canonicalize signature path \"%s\"", modpath); - return -1; + return MODULE_CHECK_ERROR; } /* Now add the .sgn suffix to get the signature file name. */ if (strlen (module_realpath) > PATH_MAX - 4) { err("Path \"%s\" is too long.", modpath); - return -1; + return MODULE_CHECK_ERROR; } sprintf (signature_realpath, "%s.sgn", module_realpath); - dbug(2, "verify_module (%s, %s)\n", module_realpath, signature_realpath); rc = verify_module (module_realpath, signature_realpath); + dbug(2, "verify_module returns %d\n", rc); return rc; @@ -419,8 +420,10 @@ check_groups (void) gid = stapusr_gid; } - if (gid != stapusr_gid) + if (gid != stapusr_gid) { + unprivileged_user = 1; return 0; + } } /* At this point the user is only a member of the 'stapusr' @@ -450,6 +453,14 @@ int check_permissions(void) int check_groups_rc; int check_signature_rc = 0; +#if HAVE_NSS + /* Attempt to verify the module against its signature. Return failure + if the module has been tampered with (altered). */ + check_signature_rc = check_signature (); + if (check_signature_rc == MODULE_ALTERED) + return 0; +#endif + /* If we're root, we can do anything. */ if (getuid() == 0) return 1; @@ -459,15 +470,17 @@ int check_permissions(void) if (check_groups_rc == 1) return 1; -#if HAVE_NSS /* The user is an ordinary user. If the module has been signed with * a "blessed" certificate and private key, then we will load it for * anyone. */ - check_signature_rc = check_signature (); - if (check_signature_rc == 1) +#if HAVE_NSS + if (check_signature_rc == MODULE_OK) return 1; + assert (check_signature_rc == MODULE_UNTRUSTED || check_signature_rc == MODULE_CHECK_ERROR); #endif + /* We are an ordinary user and the module was not signed by a trusted + signer. */ err("ERROR: You are trying to run stap as a normal user.\n" "You should either be root, or be part of either " "group \"stapdev\" or group \"stapusr\".\n"); |